Was Ashley Madison Hacking Its Competitors?

Ashley Madison was recently targeted by hackers who dumped a massive trove of potentially life-ruining data from its users, who joined the site to find (and often engage in) extramarital affairs. So far the site’s parent company, Avid Life Media, has condemned the hackers (when they're not downplaying the extent of the data dump). But a series of e-mails, found in the third Ashley Madison data dump and sent between two of the company’s executives, suggests that, at one point, Avid Life had the ability to hack into the user base of a rival company, and at least openly speculated about exploiting the security issue.

The e-mails from Avid Life C.E.O. Noel Biderman’s inbox, brought to attention by the tech blog Krebs on Security, revealed that in November of 2012, the site’s founding chief technology officer, Raja Bhatia, told Biderman about a security flaw in rival Nerve.com’s platform that allowed him to mess around with the company’s user information. (According to security blogger Brian Krebs, this was right around the time that Nerve, which was “experimenting” with a dating site at the time, approached Ashley Madison about a potential partnership, and at one point in the negotiations, included the option to buy a stake in their company or to purchase nerve.com outright. The deal never went through.)

“They did a very lousy job building their platform. I got their entire user base,” Bhatia wrote.

Bhatia then detailed that he had done “a little digging” into how Nerve's site worked. “They did a poor job of auditing their site. Have access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc.”

Basically, Bhatia had gained access to nearly everything about a user, and in a further email to another employee, he added that “I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Biderman wanted to take advantage. “Holy moly..I would take the emails...” he replied.

But Bhatia wasn't keen. “can't do it.. want to be able to look my son in the eye one day.” Bhatia did, however, demonstrate to Biderman how to complete the process, and sent a .txt file apparently containing a wealth of information on a Nerve user. The file included an email address, seemingly hashed password, and plenty of other data.

Bhatia also posted a link to a secret page on a GitHub account with the allegedly stolen data of a Nerve user. When Motherboard accessed the link, the data was still live and the page looked legitimate. It was linked to the profile of “raja.”

It wasn’t clear whether Bhatia or Biderman actually did manipulate nerve.com’s user base, or whether they alerted Nerve to the security issue. (Krebs notes that six months after they learned of the issue, Biderman asked Bhatia via e-mail whether he should alert the C.E.O. to the “security hole” during an upcoming meeting, and Bhatia appeared not to have responded.)

In a statement to Motherboard, Avid Life said that the e-mails were taken out of context, and that Biderman was just asking Bhatia to help him with “due diligence” on a partnership Nerve wanted to conduct with them.

“This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm,” they wrote. “At no point was there an effort made to hack, steal or use Nerve.com's proprietary data.”

Although the company recently offered a $500,000 bounty for information that leads to the perpetrator of the hack (a group called the Impact Team took credit), the effects of the dump have already wreaked reputational havoc on its over 32 million customers: destroying the images of several celebrities, sparking government inquiries into its own employees using the service, and possibly causing untold strife amongst compromised users.